windows7 machine authentication
alois blasbichler
alois.blasbichler at sb-brixen.it
Wed Aug 25 14:53:01 CEST 2010
Hello list
Thank you for all the hints.
I have created a new certificate and installed the ca.der on my laptop.
I alos upgraded my freeradius to the latest version 2.1.9
But no luck i get allways the same error.
Wath can i do ?
Maybe its a configuration problem ?
Below my full log
By luis
rad_recv: Access-Request packet from host 10.53.240.10 port 32769,
id=50, length=189
User-Name = "host/lap-med22"
Calling-Station-Id = "70-F1-A1-49-50-41"
Called-Station-Id = "00-0B-85-95-70-80:Info"
NAS-Port = 29
NAS-IP-Address = 10.53.240.10
NAS-Identifier = "WS4404_Pri"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "156"
EAP-Message = 0x0202001301686f73742f6c61702d6d65643232
Message-Authenticator = 0x4d6e3ece3717885ed203938b4b177a2c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type)
? Evaluating (NAS-IP-Address == 10.53.240.10 ) -> TRUE
? Evaluating !(Service-Type) -> FALSE
++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) -> FALSE
++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type)
? Evaluating (NAS-IP-Address == 10.53.240.12 ) -> FALSE
? Skipping (Service-Type)
++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) -> FALSE
++? if (NAS-IP-Address != 10.53.240.1)
? Evaluating (NAS-IP-Address != 10.53.240.1) -> TRUE
++? if (NAS-IP-Address != 10.53.240.1) -> TRUE
++- entering if (NAS-IP-Address != 10.53.240.1) {...}
[ldap-switch] performing user authorization for host/lap-med22
[ldap-switch] WARNING: Deprecated conditional expansion ":-". See
"man unlang" for details
[ldap-switch] ... expanding second conditional
[ldap-switch] expand: %{User-Name} -> host/lap-med22
[ldap-switch] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->
(uid=host/lap-med22)
[ldap-switch] expand: ou=users,dc=sb-brixen,dc=it ->
ou=users,dc=sb-brixen,dc=it
[ldap-switch] ldap_get_conn: Checking Id: 0
[ldap-switch] ldap_get_conn: Got Id: 0
[ldap-switch] attempting LDAP reconnection
[ldap-switch] (re)connect to titan:389, authentication 0
[ldap-switch] bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to titan:389
[ldap-switch] waiting for bind result ...
[ldap-switch] Bind was successful
[ldap-switch] performing search in ou=users,dc=sb-brixen,dc=it,
with filter (uid=host/lap-med22)
[ldap-switch] object not found
[ldap-switch] search failed
[ldap-switch] ldap_release_conn: Release Id: 0
+++[ldap-switch] returns notfound
++- if (NAS-IP-Address != 10.53.240.1) returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 50 to 10.53.240.10 port 32769
EAP-Message = 0x0103001604109802abd36e067bc4f583f77e64d7fd78
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa4b56f0aa4b66ba726c3f3167b686aac
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.53.240.10 port 32769,
id=51, length=194
User-Name = "host/lap-med22"
Calling-Station-Id = "70-F1-A1-49-50-41"
Called-Station-Id = "00-0B-85-95-70-80:Info"
NAS-Port = 29
NAS-IP-Address = 10.53.240.10
NAS-Identifier = "WS4404_Pri"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "156"
EAP-Message = 0x020300060319
State = 0xa4b56f0aa4b66ba726c3f3167b686aac
Message-Authenticator = 0x235cc52e5b1a1f50911c8fa4f061e070
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type)
? Evaluating (NAS-IP-Address == 10.53.240.10 ) -> TRUE
? Evaluating !(Service-Type) -> FALSE
++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) -> FALSE
++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type)
? Evaluating (NAS-IP-Address == 10.53.240.12 ) -> FALSE
? Skipping (Service-Type)
++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) -> FALSE
++? if (NAS-IP-Address != 10.53.240.1)
? Evaluating (NAS-IP-Address != 10.53.240.1) -> TRUE
++? if (NAS-IP-Address != 10.53.240.1) -> TRUE
++- entering if (NAS-IP-Address != 10.53.240.1) {...}
[ldap-switch] performing user authorization for host/lap-med22
[ldap-switch] WARNING: Deprecated conditional expansion ":-". See
"man unlang" for details
[ldap-switch] ... expanding second conditional
[ldap-switch] expand: %{User-Name} -> host/lap-med22
[ldap-switch] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->
(uid=host/lap-med22)
[ldap-switch] expand: ou=users,dc=sb-brixen,dc=it ->
ou=users,dc=sb-brixen,dc=it
[ldap-switch] ldap_get_conn: Checking Id: 0
[ldap-switch] ldap_get_conn: Got Id: 0
[ldap-switch] performing search in ou=users,dc=sb-brixen,dc=it,
with filter (uid=host/lap-med22)
[ldap-switch] object not found
[ldap-switch] search failed
[ldap-switch] ldap_release_conn: Release Id: 0
+++[ldap-switch] returns notfound
++- if (NAS-IP-Address != 10.53.240.1) returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 51 to 10.53.240.10 port 32769
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa4b56f0aa5b176a726c3f3167b686aac
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.53.240.10 port 32769,
id=52, length=311
User-Name = "host/lap-med22"
Calling-Station-Id = "70-F1-A1-49-50-41"
Called-Station-Id = "00-0B-85-95-70-80:Info"
NAS-Port = 29
NAS-IP-Address = 10.53.240.10
NAS-Identifier = "WS4404_Pri"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "156"
EAP-Message =
0x0204007b198000000071160301006c0100006803014c75110436e3af283bc4a944b96fcefb76c5acce50932a0229b8348d9a5ec2e7000018002f00350005000ac013c014c009c00a003200380013000401000027ff010001000000000e000c0000096c61702d6d65643232000a0006000400170018000b00020100
State = 0xa4b56f0aa5b176a726c3f3167b686aac
Message-Authenticator = 0x7551f3a129c2ecbc72b403e8daef8139
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 123
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 113
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006c], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0868], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 52 to 10.53.240.10 port 32769
EAP-Message =
0x0105040019c0000008a5160301002a0200002603014c7511040a1f47ebac9cdd8a749bb2432b217afe0f633a8be9daa03a576d98da00002f0016030108680b0008640008610003aa308203a63082028ea003020102020103300d06092a864886f70d0101040500308195310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x2031301e170d3130303832353131353331395a170d3131303832353131353331395a307e310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312530230603550403131c4578616d706c652053657276657220436572746966696361746520313120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b99b74ac48b6560e18a28400df7b6ab44d17c44b925cd3f717d09c4b2fffe153d098ac590428fa0b7573265b0a6b246ff6c58a3ee2246deb030c
EAP-Message =
0xe1e8e89f4fbcc6f323e51cd8fd33c4d4479d7626f3b52dab8f1ae0a4df078438964def0780392356fff2d1e2e4f51bfb9ac7543550733c4cba8ae863aead42e07ec78c6adc414d2a60d5928447fb9995e687d4c2dfa0a3867232f615d5685d0e5b15c6130002bf9bcb5582af0096565f37d97989ce3d14d480dcdb2fa3f7185c935b44baaa76c9e8f5e418f10c6051db265fbf2b6645520ee8df360b2a3ecf4d33134e2132161dd510b48257f774e18cd889913d0bd33ec535b9bbb42ba76cbba5f97ae066a70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009b7b9fb3df
EAP-Message =
0x4157731ba38f645ef8c75197fb9ab855c315823d945ad4975a8d237c33d8736113b3f79845b1836f8882b7ab428782d378634093f67eca885a2d92543f2d25048e20ed3f447c8e4f401ef61f1fe2f5320c285f3c8fdc827a61f80c8c8544c24b6285d2e54b58c803108bb8e0849d93785b2a3d975d0c1f36f9fb96e9f7ae0543480758eb8144822637dc9e0ad00ad5ecb6c5d99ec8c355b83a61ef1aa62a3259248c495e84b3bf3d80ead7132eab7ab651709dec7d4ec58b41aa76bdbdc87a82f82446aa04212451e17f97d30d4f9c39dd2b922016e0abafb71d05c7101726a2270428e630375eabd07db5ef401af920deeae169871816e551da0a0004
EAP-Message = 0xb1308204ad30820395a00302
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa4b56f0aa6b076a726c3f3167b686aac
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.53.240.10 port 32769,
id=53, length=194
User-Name = "host/lap-med22"
Calling-Station-Id = "70-F1-A1-49-50-41"
Called-Station-Id = "00-0B-85-95-70-80:Info"
NAS-Port = 29
NAS-IP-Address = 10.53.240.10
NAS-Identifier = "WS4404_Pri"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "156"
EAP-Message = 0x020500061900
State = 0xa4b56f0aa6b076a726c3f3167b686aac
Message-Authenticator = 0x0f2cdc5ec561a12e183bf717069dd073
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 53 to 10.53.240.10 port 32769
EAP-Message =
0x010603fc19400102020900eeaafc003e703fe4300d06092a864886f70d0101050500308195310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f726974792031301e170d3130303832353131353331395a170d3130303932343131353331395a308195310b3009060355040613024652310f300d060355040813065261646975733112
EAP-Message =
0x301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f72697479203130820122300d06092a864886f70d01010105000382010f003082010a0282010100bb14fb8db7103d66f1b3980347b9d0c210d3a71e3936f66e162ce185c9baf3a6a6a3f31fa5655d2615266bd552b40fdf6f28d1f3a4bf5d24994c633b4bc3a3e662cba09170cb30e2ce10fa92142b35a115877a8b463cb95c2c623b17cf5cf53d88d976eaad0ef2
EAP-Message =
0x23c91253f1e74668de02cebbb996a2bf50ef4a309d19fd928d62a66d786c9c728056d9aa354299dcf03f787ba5b2a25d61a05b8b4662bf87805e98f73555acb96d96e422a0828db4d22009fb020948354f7b5d339c9f5ccd8932504ee0ddb572fa3a999fb6c155af648070321172c6927587e6112a73bec0d6673825a572076b8511b5ff06a2a9ba30368753612e2b27570d7a10097e76db610203010001a381fd3081fa301d0603551d0e04160414bc8ad8d21a2eaa6c110055055989038dbcdd6b0e3081ca0603551d230481c23081bf8014bc8ad8d21a2eaa6c110055055989038dbcdd6b0ea1819ba48198308195310b3009060355040613024652
EAP-Message =
0x310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f726974792031820900eeaafc003e703fe4300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100046580d057157b6af87fd5d796ad99da0e144885fd99dccad5c3fe71be6371f3d95fd529c1fc453044235d565d59bd491613559a4ec29b24e893b3db0b82f835b060b23a9ecb73db
EAP-Message = 0xcd98b5c404f42061
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa4b56f0aa7b376a726c3f3167b686aac
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.53.240.10 port 32769,
id=54, length=194
User-Name = "host/lap-med22"
Calling-Station-Id = "70-F1-A1-49-50-41"
Called-Station-Id = "00-0B-85-95-70-80:Info"
NAS-Port = 29
NAS-IP-Address = 10.53.240.10
NAS-Identifier = "WS4404_Pri"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "156"
EAP-Message = 0x020600061900
State = 0xa4b56f0aa7b376a726c3f3167b686aac
Message-Authenticator = 0x3a249f23d32b56aa04e052b05bccf654
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 54 to 10.53.240.10 port 32769
EAP-Message =
0x010700bf19003d27993820693a246572680ce31e26e01560ed876cefb1fb622ad56b2d329c800af4ce229afce81561597ef797cbc618308623af786a5dc8e9594168f283c10464d91b3fb37d9d97f55380fb67c04e759705f3f158d6753467f9f2afc201119071697daea6dc83396f5b41d08c740c7891bc6c8dbbccdd4e7fcf37ab63faac552fe972d3dfed0dd0688f2a2217ad437eb3e45bdd44079a9f954095ab6143353e9398c2b57b1dcc7c1d325d308d38158816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa4b56f0aa0b276a726c3f3167b686aac
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.53.240.10 port 32769,
id=55, length=205
User-Name = "host/lap-med22"
Calling-Station-Id = "70-F1-A1-49-50-41"
Called-Station-Id = "00-0B-85-95-70-80:Info"
NAS-Port = 29
NAS-IP-Address = 10.53.240.10
NAS-Identifier = "WS4404_Pri"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "156"
EAP-Message = 0x0207001119800000000715030100020230
State = 0xa4b56f0aa0b276a726c3f3167b686aac
Message-Authenticator = 0xf43e6a6a20f23d5df0a151325c5d1711
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [host/lap-med22] (from client ciscosw port 29 cli
70-F1-A1-49-50-41)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/lap-med22
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 55 to 10.53.240.10 port 32769
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 50 with timestamp +9
Cleaning up request 1 ID 51 with timestamp +9
Cleaning up request 2 ID 52 with timestamp +9
Cleaning up request 3 ID 53 with timestamp +9
Cleaning up request 4 ID 54 with timestamp +9
Waking up in 1.0 seconds.
Cleaning up request 5 ID 55 with timestamp +9
Ready to process requests.
More information about the Freeradius-Users
mailing list